Scan the helm chart for security issues

This scans the helm chart using the trivy action to ensure we don't have any obvious security vulnerabilities. Unfortuantely, trivy does not do a great job at detecting a helm chart within a repo, so we need to point it directly to it. Closes infratographer#90 Signed-off-by: Juan Antonio Osorio <[email protected]>
JAORMX · Mar 2, 2023 · bf82fe0 · bf82fe0
1 parent 7b9391c
commit bf82fe0
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 8 deletions.
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -13,8 +13,8 @@ on:
     - cron: '23 20 * * 2'
 
 jobs:
-  scan-trivy:
-    name: sec-scan-trivy
+  repository-scan:
+    name: Repository scan
     runs-on: ubuntu-latest
     steps:
       - name: Checkout 
@@ -35,3 +35,27 @@ jobs:
         uses: github/codeql-action/upload-sarif@v2
         with:
           sarif_file: 'trivy-results.sarif'
+
+  helm-scan:
+    name: Helm scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout 
+        uses: actions/checkout@v3
+
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          security-checks: 'vuln,config,secret'
+          scan-ref: 'chart'
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-helm-results.sarif'
+          severity: 'HIGH,CRITICAL'
+          skip-dirs: 'tests'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-helm-results.sarif'
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -62,20 +62,17 @@ jobs:
           load: true
           tags: ghcr.io/infratographer/fertilesoil/treeman:latest
 
-      - name: Run Trivy vulnerability scanner
+      - name: Run Trivy vulnerability scanner on container image
         uses: aquasecurity/trivy-action@master
         with:
           image-ref: ghcr.io/infratographer/fertilesoil/treeman:latest
           security-checks: 'vuln,config,secret'
           ignore-unfixed: true
           severity: 'HIGH,CRITICAL'
           format: 'sarif'
-          output: 'trivy-results.sarif'
+          output: 'trivy-img-results.sarif'
 
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v2
         with:
-          sarif_file: 'trivy-results.sarif'
-
-      - name: Inspect action SARIF report
-        run: cat 'trivy-results.sarif'
+          sarif_file: 'trivy-img-results.sarif'